Haystack Password Validator

The Haystack Password Validator may be used to estimate the quality of a password using a combination of the number and types of characters in a password. It is based on the concept of password haystacks as described at https://www.grc.com/haystack.htm. It provides a way to require strong passwords that can withstand a prolonged brute-force attack in a way that is often less frustrating for end users than configuring separate length-based and character set password validators.

A long password containing only lowercase letters may be stronger (in terms of the brute-force effort required to crack the password) than a password of moderate length that uses a combination of character types (e.g., lowercase letters, uppercase letters, numeric digits, and symbols). This validator encourages the use of passphrases (passwords that are actually composed of multiple words), which can be simultaneously stronger and easier to remember than passwords with a wider range of characters.
Although this validator can ensure that passwords are resistant to brute-force attacks, it is still recommended that it be used in conjunction with other validators (e.g., those that ensure the proposed password isn't in a dictionary of commonly used passwords or in an attribute value in the user's entry) for a higher degree of protection.
This implementation uses four hard-coded character sets:

In order to compute the brute force search space size for a proposed password, use the following process:
  1. Determine which character sets are represented in the proposed password. For example, the string "pa55w0rd" contains characters from two sets: lowercase ASCII letters and numeric digits.
  2. Determine the total number of characters in all of the sets used in the proposed password. This sum is called the search space depth. For example, because "pa55w0rd" contains lowercase ASCII letters (26 characters) and numeric digits (10 characters), the search space depth for that password is 26+10=36. Note that in this implementation, if a password contains one or more characters outside of the predefined sets, the search space depth will always be assumed to be 256.
  3. Let "L" represent the length of the password in bytes, and let "D" represent the search space depth computed above. The total brute force search space size for the proposed password is the sum of D raised to each integer power from 1 to L (that is, D^1 + D^2 + ... + D^L, the number of candidate strings of every length up to L drawn from D characters). For example, the string "pa55w0rd" has a length of eight bytes, so the brute force search space size for that string would be 36^1 + 36^2 + 36^3 + 36^4 + 36^5 + 36^6 + 36^7 + 36^8 = 2,901,713,047,668.
Therefore, it would require nearly three trillion guesses for a brute force attacker trying every possible combination of lowercase letters and numeric digits to be guaranteed to land upon "pa55w0rd". This may sound like a lot, but if we assume a determined attacker who has access to an encoded password and the ability to try 100 billion guesses per second, then they would be able to crack the password in a little under 30 seconds.
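A worked version of the three steps above, as an added example rather than the server's own code: it computes the search space depth and size for a proposed password, then applies the two configurable properties, assumed-password-guesses-per-second (default 100,000,000,000) and minimum-acceptable-time-to-exhaust-search-space (default 1 w). The page names only the lowercase (26) and digit (10) sets by size; the uppercase and symbol sets used here are assumptions.

```python
import string

# Added example, not the validator's own code. Lowercase (26) and digits (10)
# are from the page; ASCII uppercase (26) and printable-ASCII punctuation (32)
# are assumed for the remaining two of the four hard-coded sets.
CHARACTER_SETS = {
    "lowercase": frozenset(string.ascii_lowercase),
    "uppercase": frozenset(string.ascii_uppercase),
    "digits": frozenset(string.digits),
    "symbols": frozenset(string.punctuation),
}
FALLBACK_DEPTH = 256  # used when any character lies outside the predefined sets
DEFAULT_GUESSES_PER_SECOND = 100_000_000_000  # assumed-password-guesses-per-second
DEFAULT_MINIMUM_SECONDS = 7 * 24 * 60 * 60    # minimum-acceptable-time ... = 1 w

def search_space_depth(password):
    """Steps 1 and 2: sum the sizes of the character sets the password touches."""
    used = set()
    for ch in password:
        for name, chars in CHARACTER_SETS.items():
            if ch in chars:
                used.add(name)
                break
        else:
            return FALLBACK_DEPTH  # any out-of-set character forces depth 256
    return sum(len(CHARACTER_SETS[name]) for name in used)

def search_space_size(password):
    """Step 3: D^1 + D^2 + ... + D^L, with L the password length in bytes."""
    depth = search_space_depth(password)
    length = len(password.encode("utf-8"))
    return sum(depth ** i for i in range(1, length + 1))

def seconds_to_exhaust(password, guesses_per_second=DEFAULT_GUESSES_PER_SECOND):
    """Worst-case time for an attacker to try the whole search space."""
    return search_space_size(password) / guesses_per_second

def is_acceptable(password, guesses_per_second=DEFAULT_GUESSES_PER_SECOND,
                  minimum_seconds=DEFAULT_MINIMUM_SECONDS):
    """Accept only if exhausting the space takes at least the configured minimum.
    Integer comparison avoids float rounding on very large search spaces."""
    return search_space_size(password) >= guesses_per_second * minimum_seconds

if __name__ == "__main__":
    for pw in ("pa55w0rd", "correcthorsebatterystaple"):
        print(pw, search_space_depth(pw), search_space_size(pw),
              round(seconds_to_exhaust(pw), 2), is_acceptable(pw))
```

With the defaults, "pa55w0rd" is rejected (about 29 seconds to exhaust) while the 25-letter lowercase passphrase is accepted, which is the passphrase effect described above.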


Parent Component

The Haystack Password Validator component inherits from the Password Validator.

Properties

The properties supported by this managed object are as follows:


Basic Properties:
 description
 enabled
 validator-requirement-description
 validator-failure-message
 assumed-password-guesses-per-second
 minimum-acceptable-time-to-exhaust-search-space

Advanced Properties:
 None

Basic Properties

description

Description
A description for this Password Validator
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the password validator is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

validator-requirement-description

Description
Specifies a message that can be used to describe the requirements imposed by this password validator to end users. If a value is provided for this property, then it will override any description that may have otherwise been generated by the validator.
Default Value
The requirement description will be automatically generated by the password validator.
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

validator-failure-message

Description
Specifies a message that may be provided to the end user in the event that a proposed password is rejected by this validator. If a value is provided for this property, then it will override any failure message that may have otherwise been generated by the validator.
Default Value
The failure message will be automatically generated by the password validator.
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

assumed-password-guesses-per-second

Description
The number of password guesses per second that a potential attacker may be expected to make. The value must be specified as an integer. However, since it may be a large value, you may use non-digit characters (e.g., commas, periods, spaces, or underscores) to improve readability.
If an attacker does not have access to the encoded form of the password, then the only attack vector will be to try an online attack, in which they send authentication requests to the server as quickly as possible. If the attacker has direct LDAP access to the directory server, and the server is not configured with any rate limiting or to lock accounts after a number of authentication failures, then it may be possible to try tens or hundreds of thousands of authentication attempts per second.
If an attacker does have access to the encoded form of a password, then they can take advantage of much faster offline attacks. Depending on the algorithm used to encode the password and the type of hardware being used for the password cracking attempts, then they may be able to make hundreds of billions of guesses per second.
Default Value
100,000,000,000
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

minimum-acceptable-time-to-exhaust-search-space

Description
The minimum length of time (using the configured number of password guesses per second) required to exhaust the entire search space for a proposed password in order for that password to be considered acceptable.
Default Value
1 w
Allowed Values
A duration. Lower limit is 1 second.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Password Validators:

dsconfig list-password-validators
     [--property {propertyName}] ...

To view the configuration for an existing Password Validator:

dsconfig get-password-validator-prop
     --validator-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Password Validator:

dsconfig set-password-validator-prop
     --validator-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Haystack Password Validator:

dsconfig create-password-validator
     --validator-name {name}
     --type haystack
     --set enabled:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Password Validator:

dsconfig delete-password-validator
     --validator-name {name}